As many of you know, we recently lost half of our USA VPN network because of excessive abuse. The main problem was that someone was attacking a bank from one of our modulating servers. We also generated quite a few copyright notices. To attempt to get the abuser off of our network before we either lost our servers or he succeeded and got the authorities involved, we made a controversial (in some people's eyes) decision: to warn everyone that basic VPN service logging would be enabled on the server cluster he was using to launch the attack, in hopes that he would just leave and go somewhere else. By basic VPN service logging we are talking about general RADIUS logs and connection timestamps on our authorization databases, solely to track the user down and get rid of them. No headers or session data would have been jeopardized. The data center got more abuse reports from Bank of America and DMCA notices, and pulled our server leases before we could enable basic logging.
In the past, when it was just simple DMCA notices, we chose to leave the data center and take our business elsewhere. We would have done the exact same thing this time had it been a simple matter of someone downloading some porn, but because a financial institution is involved it becomes something else altogether. The last thing we want is to be forced into a position where we must hand over information because of a subpoena. The fact of the matter is you are not paying us to hide your identity so you can go out and commit crimes. If we get legitimate abuse reports that someone is attempting to use our service to break into another network, we feel we have a responsibility to our users to get the offending user off of our network before something happens that we cannot solve internally. If temporarily enabling timestamps and basic connection logs will allow us to identify the user and remove them from our service, then that is what we will do. We have always been straightforward about our VPN service logging policy. It has always said in our terms of service that, if required, we will enable basic VPN service logging to track down and stop users that are abusing the service we provide.
I would like to make 1 final thing very clear. At this time LiquidVPN maintains 0 logs, which means no timestamps, IPs or usernames are logged. After you disconnect, all traces of you are gone. Any VPN service that has removed all of the logging generally done by their authorization database and OpenVPN must temporarily enable these logs if they want to find and remove abusers when they come around. If you belong to the group of users that expect a VPN to maintain absolutely 0 logs, like LiquidVPN, then you must also be aware that the only way to remove someone who is using the VPN service for hacking, spamming, fraud or partaking in anything that would generate abuse reports is to enable timestamps and track users' IP addresses and usernames while on the network, or the network will be ruined quite quickly.
So we really have 2 viable solutions going forward.
- Enable basic VPN service logging so that we can track when a user connects to the service, the IP they get while they are connected to our network and the time that they are on our network. Many VPN providers that claim they do not log still keep this data so they can weed out the abusers.
- Be transparent and send out notices when serious abuse reports come in and these basic logs must be enabled, to let our users know we will be enabling logging of server IP addresses, usernames and timestamps.
We have to take one of these two routes. There are no alternatives that I am aware of. If anyone has a viable alternative then by all means get in touch. If it is a good alternative and it is something we cannot set up internally, then we will hire whoever we need to so we can put it in place.